Engadget RSS Feed (JavaScript tag): https://www.engadget.com/tag/javascript/rss.xml
Engadget is a web magazine with obsessive daily coverage of everything new in gadgets and consumer electronics. Copyright 2018 AOL Inc. The contents of this feed are available for non-commercial use only.
https://www.engadget.com/2018/05/21/intel-details-fourth-spectre-style-cpu-exploit/

Intel said it was expanding its bug bounty program to help find more Spectre-like processor security flaws, and unfortunately another one has turned up. The company (along with Google and Microsoft) has disclosed a fourth exploit (simply titled Variant 4, also known as Speculative Store Bypass) that once again uses speculative execution to expose some data through a side channel. The attack is so far known to work in a "language-based runtime environment" like the sort you'd see in a web browser (say, a JavaScript engine), although Intel hadn't seen evidence of successful browser-based exploits.

Facebook is looking into a security report that reveals Facebook user data can be snatched by JavaScript trackers if they're planted in websites that let users log in with their Facebook credentials. Not just their name and email address, either: the exploit catches age range, gender, locale and possibly a profile photo too, depending on how much access the user granted said website. Once someone logs in, any third-party JavaScript loaded into the same page can reportedly retrieve their info at will, because every script on a page runs with the same origin and the same access to the login SDK as the site's own code.
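The item above comes down to one fact about the browser: scripts loaded into a document share one JavaScript realm and one origin, so a tracker has exactly the access the site's own code has. The following is an added example, not code from the article, from Facebook's SDK or from the report it cites; `FB`, `api`, `currentUser` and `realm` are stand-in names, and the profile is constructed. It models a login SDK already loaded into a page, two ways a site might hold the profile, and three ways a co-hosted tracker gets at it.

```javascript
// Added example (not from the Engadget item or Facebook's SDK): why a third-party
// script on a page can read whatever a login SDK on that page can. All names
// (FB, api, currentUser, realm) are assumed stand-ins; the profile is constructed.

// Constructed profile, standing in for what a /me call returns after login.
const SAMPLE_PROFILE = {
  id: "10000000001", name: "Example User", email: "user@example.com",
  age_range: { min: 21 }, gender: "female", locale: "en_US",
};

// A fresh "realm": the shared global scope, with a login SDK already loaded into it.
// The SDK answers any caller once the user has consented to the site.
function makeRealm() {
  const realm = {};
  realm.FB = { api(path, cb) { cb(path === "/me" ? { ...SAMPLE_PROFILE } : null); } };
  return realm;
}

// Site code, pattern 1: stash the profile on the global object.
function siteCodeNaive(realm) {
  realm.FB.api("/me", (me) => { realm.currentUser = me; });
}

// Site code, pattern 2: keep it in a closure and expose only a display name.
function siteCodeClosure(realm) {
  let me = null;
  realm.FB.api("/me", (p) => { me = p; });
  realm.getDisplayName = () => (me ? me.name : null);
}

// Tracker technique A: scrape the globals for anything profile-shaped.
function trackerScrapeGlobals(realm) {
  for (const key of Object.keys(realm)) {
    const v = realm[key];
    if (v && typeof v === "object" && typeof v.email === "string") return v.email;
  }
  return null;
}

// Tracker technique B: ignore the page and ask the SDK directly. The SDK cannot
// tell which script is calling: same realm, same origin, same cookies.
function trackerCallSdk(realm) {
  let email = null;
  realm.FB.api("/me", (me) => { email = me && me.email; });
  return email;
}

// Tracker technique C (loaded before the site's code runs): wrap the SDK entry
// point so every profile the page fetches passes through the tracker first.
// A closure on the site's side does nothing against this.
function trackerHookSdk(realm, sink) {
  const original = realm.FB.api;
  realm.FB.api = function (path, cb) {
    return original.call(this, path, (result) => {
      if (result && typeof result.email === "string") sink.push(result.email);
      cb(result);
    });
  };
}

// Stand-alone run of all three techniques against both site patterns.
function demo() {
  const a = makeRealm(); siteCodeNaive(a);
  const b = makeRealm(); siteCodeClosure(b);
  const c = makeRealm(); const seen = []; trackerHookSdk(c, seen); siteCodeClosure(c);
  return {
    scrapedFromNaive: trackerScrapeGlobals(a),    // "user@example.com"
    scrapedFromClosure: trackerScrapeGlobals(b),  // null: the closure beats scraping...
    viaSdkFromClosure: trackerCallSdk(b),         // "user@example.com": ...but not this
    hookedFromClosure: seen[0] || null,           // "user@example.com": nor this
  };
}
```

The practical consequences: request the smallest permission scope the site actually needs, treat every script tag on a logged-in page as having that scope, and run code you do not trust in a sandboxed cross-origin iframe rather than in the document itself. A Content-Security-Policy `script-src` controls where scripts may load from, but it does not isolate scripts from each other once they are loaded.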

Google's incubator for employees' "20 percent time" side projects, Area 120, typically produces fun things like an app to make YouTube more social and an expansion of Smart Reply. Now the workshop has released an app to help beginners learn to code in JavaScript, which could be helpful for novices who want to build websites.

Kode with Klossy, Karlie Kloss' coding camp for girls, is expanding this year. Last year, the program offered 15 camps in 12 cities, but this summer, it's running 50 camps in 25 cities and will teach 1,000 young women between the ages of 13 and 18 about coding. Founded by Kloss in 2015, the free, two-week camp instructs attendees on front-end and back-end software engineering and covers the Ruby, JavaScript, HTML and CSS languages. This year, the camp is also adding Swift to its curriculum. "This year, we've also got a really exciting new track on Swift, so the girls at our camps not only learn the ABCs of code, but real-world examples of tech that touches our lives today," Kloss told Mashable. "They're learning what a loop is or how to interpolate using concepts or ideas that touch their lives, like Instagram, Twitter or Postmates."

Earlier this week, Adobe announced it would cease support and development of Flash at the end of 2020, a decision that had many people saying, "Finally." The "Flash is dead" rhetoric has been around for years, and people like Facebook's chief security officer, Alex Stamos, have called for Adobe to set an end-of-life date for some time. Well, it finally has, and Adobe tells Engadget that the transition out has been planned for several years.

You may remember Brendan Eich, the former CEO of Mozilla who stepped down amid political backlash over his support for Proposition 8, the California ballot measure banning same-sex marriage. Well, he's back, and he has cash to burn: his new browser startup, Brave, raised $35 million in under 30 seconds, reports TechCrunch.

He was able to pull off such a dramatic feat through an initial coin offering, or ICO. An ICO is loosely analogous to an IPO (initial public offering), in which a private company sells stock to the public for the first time, except that it raises funds for a company by selling a cryptocurrency token rather than shares for traditional cash.

If you want to email a .js file to somebody for any reason, you only have a few more days to do so through Gmail. The service will start blocking JavaScript file attachments starting on February 13th, adding it to its list of restricted file types, which includes .exe, .msc and .bat. If you try to attach a .js file on or after the 13th, you'll get a notification that says it's blocked "because its content presents a potential security issue." The reason is the same as for the other blocked types: on Windows a double-clicked .js file runs under Windows Script Host, which made it a popular ransomware downloader in 2016, and wrapping one in a .zip doesn't help, since Gmail inspects archives for the same file types.

Unless you still use Internet Explorer (and please don't), you probably don't have to worry about new malware discovered by ESET researchers. However, the Stegano exploit kit shows how adept attackers have become at slipping malicious ads past major networks and then hiding the payload from discovery: its exploit code is encoded in the alpha channel of the banner's pixels, where it is invisible to the eye and to scanners that only look at the file as an image. It's been operating stealthily for the last two years and specifically targeting corporate payment and banking services.

An Arizona teen is discovering why you should think very carefully about sharing exploits online: you don't know what people will do with them... or in some cases, whether you're sharing the exploit you think you are. Phoenix police have arrested 18-year-old Meetkumar Hitesbhai Desai on computer tampering charges after he publicly posted a version of an iOS-based JavaScript attack that he thought would only deliver annoying pop-ups, but actually made bogus 911 calls. In the Phoenix region, there were so many hang-up calls (there were 1,849 link clicks in total) that there was the "potential danger" of emergency phone services going down, the Maricopa County Sheriff's Office says. California and Texas police saw call spikes, too.

Some web-based exploits are more dangerous than others... and unfortunately, this is one of the nasty ones. Security researchers at KU Leuven have discovered an attack technique, HEIST (HTTP Encrypted Information can be Stolen Through TCP-Windows), that helps compromise an encrypted website using only JavaScript hidden in a maliciously crafted ad or page. Unlike many similar attacks, you don't need a man-in-the-middle position to make this work: by timing how a cross-origin response arrives, the script can tell whether the response fit within a single TCP congestion window, and from that infer its size, all on its own. Combine that size oracle with a compression-based attack such as BREACH and it's relatively easy to pluck sensitive info, such as email addresses and banking details, out of encrypted traffic. Because the attack relies on the victim's own cookies being attached to the cross-origin requests, blocking third-party cookies blunts it.

Tags: blackhat2016, culture, encryption, exploit, gear, heist, https, internet, javascript, security, vulnerability, web. Wed, 03 Aug 2016 18:04:00 -0400
https://www.engadget.com/2016/04/09/el-capitan-imessage-javascript-bug/
Researchers explained one large security hole in Apple's iMessage app that received a patch last month, but until now we didn't have details on another vulnerability fixed at the same time. By tricking users into clicking a specially-crafted link, hackers could gain access to the usually encrypted communications in OS X El Capitan's Messages. "You don't need a graduate degree in mathematics to exploit it, nor does it require advanced knowledge of memory management, shellcode or ROP chains," according to security researchers at Bishop Fox -- just knowledge of basic JavaScript.

People with dyslexia can tell you about their frustrations with reading, but it's hard to really understand their condition without witnessing it first-hand. Well, you now have a quick and easy way to empathize with their situation: a developer has posted a web-based approximation of dyslexic reading (based on a friend's description) that uses little more than JavaScript to generate the effect. Letters constantly jump around, forcing you to concentrate on each word to make sense of what you're reading -- you can't just skim over it like you would otherwise. The source code is readily available, so you can implement it yourself if you want to see how the effect applies on other websites or within apps.

While many of us bristle at the sight of Comic Sans (this writer included), coders have an altogether different view of typefaces and how they're presented. Hence Operator Mono, a new font from Hoefler & Co., one of the most highly regarded type foundries, forged to make life easier for the folks who build the websites you visit. "In developing Operator, we found ourselves talking about Javascript and CSS," founder Jonathan Hoefler writes. While the blog post about typography and font faces can come off as a bit pretentious, it's clear that the team paid attention to how the likes of brackets, commas and semicolons are spaced and how they appear in code editors.

Hackers have discovered a critical exploit in Chrome for Android reportedly capable of compromising virtually every version of Android running the latest Chrome. Qihoo 360 researcher Guang Gong demonstrated the vulnerability at the Mobile Pwn2Own contest at the PacSec conference in Tokyo yesterday. While the inner workings of the exploit are still largely under wraps, we do know that it exploits a bug in V8, Chrome's JavaScript engine, to take control of the victim's phone from a single visited web page.

Yesterday, someone noticed that an ad on a Russian news site was exploiting a serious vulnerability in the Firefox browser. According to a Mozilla security post, the attacker was able to bypass the browser's same-origin policy (its front line of security) through a bug in Firefox's built-in PDF viewer, inject malicious JavaScript and upload sensitive local files to a server in Ukraine. Mozilla said the attack was "surprisingly developer-focused for an exploit launched on a general audience news site," because it hunted browser and FTP configuration files. It added that the "exploit leaves no trace that it has run on the local machine."

You might want to be more cautious the next time you click on an internet image link sent by a stranger -- much like the pirate cat photo you see above, that adorable picture could be hiding something sinister. Security researcher Saumil Shah has developed a security exploit, Stegosploit, that uses steganography to slip malicious JavaScript code into an image file: the result is a polyglot, a single file that is at once a valid image and valid HTML/JavaScript. If you happen to view the picture in a vulnerable web browser, it opens the door to installing malware or directly hijacking your computer. And this sort of attack is definitely usable in the real world, as Motherboard found out first-hand.
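Both the Stegano item above and this one rest on the same trick: a payload stored in the least-significant bits of an image's pixels, where it costs nothing visually. The following is an added example, not code from the Stegano kit, from Stegosploit or from Engadget: it embeds a string in the alpha-channel LSBs of an RGBA pixel buffer, extracts it again, and shows the check an ad network could run. The cover image is constructed (a noisy 32x32 buffer with the layout of canvas `ImageData`) so the block runs without a browser; on a real image you would pass `ctx.getImageData(...).data`.

```javascript
// Added example: alpha-channel LSB steganography over an RGBA buffer. Not code
// from the Stegano exploit kit, Stegosploit or the Engadget items. The image,
// the payload and the 16-bit length header are all constructed for the demo.

const WIDTH = 32, HEIGHT = 32, CHANNELS = 4;   // RGBA, one byte per channel

// Constructed cover image: noisy colour, fully opaque (alpha 255) like most ad creatives.
function makeCoverImage(seed = 7) {
  const px = new Uint8ClampedArray(WIDTH * HEIGHT * CHANNELS);
  let s = seed;
  for (let i = 0; i < px.length; i++) {
    if (i % CHANNELS === 3) { px[i] = 255; continue; }
    s = (Math.imul(s, 1103515245) + 12345) & 0x7fffffff;   // small deterministic LCG
    px[i] = (s >>> 16) & 0xff;
  }
  return px;
}

// Embed: 16-bit big-endian length, then the payload bytes, one bit per pixel in the
// alpha LSB. Alpha 255 -> 254 is invisible and survives lossless formats such as PNG
// (it would not survive JPEG re-encoding).
function embedAlphaLSB(pixels, payload) {
  const bytes = new TextEncoder().encode(payload);
  if (bytes.length > 0xffff) throw new Error("payload exceeds 16-bit length header");
  const bits = [];
  const pushByte = (b) => { for (let k = 7; k >= 0; k--) bits.push((b >> k) & 1); };
  pushByte(bytes.length >> 8);
  pushByte(bytes.length & 0xff);
  bytes.forEach(pushByte);
  const capacity = pixels.length / CHANNELS;   // one bit per pixel
  if (bits.length > capacity) throw new Error(`need ${bits.length} pixels, image has ${capacity}`);
  const out = new Uint8ClampedArray(pixels);   // copy; never mutate the caller's buffer
  bits.forEach((bit, i) => {
    const a = i * CHANNELS + 3;
    out[a] = (out[a] & 0xfe) | bit;
  });
  return out;
}

// Extract: read the header, then exactly that many bytes. A real loader would hand
// the string to eval() or a <script> element; this stops at the string.
function extractAlphaLSB(pixels) {
  const bitAt = (i) => pixels[i * CHANNELS + 3] & 1;
  const readByte = (start) => {
    let v = 0;
    for (let k = 0; k < 8; k++) v = (v << 1) | bitAt(start + k);
    return v;
  };
  const len = (readByte(0) << 8) | readByte(8);
  const bytes = new Uint8Array(len);
  for (let i = 0; i < len; i++) bytes[i] = readByte(16 + i * 8);
  return new TextDecoder().decode(bytes);
}

// Defender-side check for an ad network or CDN: a creative that is supposed to be
// opaque should have alpha 255 on every pixel. Anything else is cheap to count and
// hard to explain innocently.
function countNonOpaquePixels(pixels) {
  let n = 0;
  for (let i = 3; i < pixels.length; i += CHANNELS) if (pixels[i] !== 255) n++;
  return n;
}
```

Stegosploit differs in one respect: rather than hiding bytes the page has to decode, it makes the file itself parse as HTML and JavaScript as well as an image, so the check above (alpha values, or more generally any pixel statistic) catches the Stegano style of hiding but not a polyglot; for those, the cheap check is whether the file contains byte sequences such as `<script` or `<html` outside the image's own structures.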

One of the biggest threats to your online privacy is the mixture of code that you'll find on some websites. It's all too easy for a legit-looking page to hide data-stealing code, or for innocent sites to accidentally expose your info. If Google, Mozilla and researchers have their way, though, you won't have to worry quite so much about where that info is going. Their new COWL (Confinement with Origin Web Labels) system prevents JavaScript from sharing data with outside websites that aren't explicitly approved; even when the data gets the all-clear, it won't necessarily spread anywhere else. In theory, it should be harder for ne'er-do-wells to hijack a page and grab sensitive content without your knowledge, or simply for you to lose control of where that content goes.

Programming languages can be daunting to learn, especially if you're a kid who'd rather be playing games than creating them. Thankfully, ThoughtSTEM has found a way to make coding both accessible and entertaining in one shot. Its upcoming LearnToMod software teaches you how to write JavaScript code by producing Minecraft mods that are appropriate to your skill level. If you're just starting out, you can use building blocks of code that produce simple-yet-fun features, such as a bow that shoots teleporters. Advanced students, meanwhile, can write in raw JavaScript and produce content that you wouldn't think was possible in Minecraft's cuboid universe, such as a Tetris mini-game.

Uber's car service lets you rate your drivers, but it also lets them rate you. The customer might always be right, but some customers are simply jerks -- and the system lets drivers know what they might be in for. Until now, there's been no way to draw out your customer rating from the app, but with a little JavaScript magic, courtesy of Aaron Landy, you can cajole Uber's mobile site into spitting out your rating, out of 5. Log into Uber's mobile site, then open the console (for Chrome: View -> Developer -> JavaScript Console from the drop-down menu), and paste some JavaScript code in. The browser will reload, and you'll need to paste the code again. Another reload, and a popup will offer up your user details and your passenger rating. The hack might even the odds a little: drivers have been able to see how passengers have ranked their rides for a while. It's like leaving feedback on eBay all over again.

Update: It appears Uber noticed the sudden influx to its mobile site and has now patched the JavaScript 'hack.'

So far, sophisticated 3D web games have typically required either a plugin (think Quake Live) or a special environment where they can run native code. While those are just dandy, they aren't really web games, are they? That's going to change shortly, as Trendy Entertainment has revealed plans to launch truly web-based versions of both Dungeon Defenders Eternity and the upcoming Dungeon Defenders II. Both Unreal Engine-based titles use a mix of open standards like WebGL and Web Audio together with asm.js, Mozilla's strict, ahead-of-time-compilable subset of JavaScript, to handle desktop-level 3D and sound in your browser at "near native" speeds. You may not notice the difference at all, provided you're on a reasonably quick PC.

When it comes to surfing the web, our options are limited: the market is dominated by three or four mainstream web browsers, all of which share major similarities in design and function. Unless you want to build your own browsing program, you're stuck with their modern browsing paradigms. For San Francisco programmer Stanislas Polu, that wasn't good enough, so, he created Breach -- an open source modular web browser designed to allow anybody to tweak and modify it on a whim.

If you're a Tweetdeck user and can't log in right now -- there's a reason. The service's webapp contained a vulnerability that let it run scripts embedded in tweets; just reading a tweet could cause a popup to appear on your screen, redirect you to another website, hijack your account or even cause you to retweet something without knowing. Since Tweetdeck is used by many of the social media managers for widely-followed accounts, a self-propagating flaw (the script runs in the viewer's own session, so it can retweet the tweet that carries it) could quickly replicate across the service. The official Tweetdeck account claimed the vulnerability was fixed earlier, but that doesn't appear to have worked, and as a result, Twitter has taken the service down "to assess today's earlier security issue." Even though you can't log in right now, it would probably be a good idea to revoke the service's access to your account entirely until things are resolved.
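"Scripts embedded in tweets" is stored cross-site scripting: tweet text reaches the page as live markup instead of as text. The following is an added example, not TweetDeck's code and not a description of its actual bug; it puts a safe renderer next to a vulnerable one. The vulnerable variant escapes the text and then runs a post-processing step that decodes entities before substituting an emoji image, which is one common way this class of bug is introduced (assumed here for illustration, not taken from the item); the ♥-to-emoji step is a constructed stand-in.

```javascript
// Added example: a tweet renderer with and without the bug class behind
// "scripts embedded in tweets". Not TweetDeck's code; the emoji step is constructed.

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// A minimal entity decoder: the kind of "helpful" step that undoes escaping.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ({
    amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'",
  }[e]));
}

const HEART_IMG = '<img class="emoji" alt="♥">';

// Vulnerable: escape, then decode entities before substituting the emoji. Whatever
// the tweet author typed is now back in the markup as markup.
function renderTweetVulnerable(text) {
  const withEmoji = decodeEntities(escapeHtml(text)).replace(/♥/g, HEART_IMG);
  return `<p class="tweet">${withEmoji}</p>`;
}

// Fixed: substitute on the escaped string and never decode. The only markup in the
// output is markup the renderer wrote itself.
function renderTweetFixed(text) {
  const withEmoji = escapeHtml(text).replace(/♥/g, HEART_IMG);
  return `<p class="tweet">${withEmoji}</p>`;
}

// Check used below: does the rendered fragment contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The order of operations is the whole point: every transformation that runs after escaping must be one that cannot reintroduce `<`, `>`, quotes or `&`. Assigning the result with `textContent` instead of `innerHTML`, or building the emoji with `document.createElement`, removes the question entirely.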

Sure, you could spend a while trying to solve the Rubik's Cube in Google's new Doodle, but that may get a little dry. Google was clearly prepared for that eventuality, though: it has just launched the Cube Lab, a Chrome experiment that lets you build your own internet-based puzzle. So long as you're good with modern web code, you can produce a unique Rubik's Cube with its own artwork, effects and even logic. The 808 Cube is all about music-making, for instance. Even if you're not a programmer, it's worth checking out the ready-made Lab examples to have some fun. We just wish we'd had this when we were kids -- it would have kept us playing with Rubik's Cubes long after the original got buried in the closet.

Up until now, the most we'd heard about the next rumored update to Microsoft's Windows Phone OS centered on two features: Cortana, the company's Siri-like digital assistant, and Action Center, its native notification center. Today, however, we have a clearer idea of where Windows Phone 8.1 could be headed thanks to a Reddit user who's allegedly gained access to the new SDK as part of Microsoft's developer preview program.

Dungeon Defenders developer Trendy Entertainment and its new indie subsidiary Nom Nom Games announced a new cross-platform, RPG-like shooter called Monster Madness Online today. The free-to-play game places combatants in the shoes of one of four minors in Suburbia City, which has been overrun by invading Martians whose powerful Monster Tokens apparently don't affect the kids of the town.

Monster Madness Online is billed as the first 3D action game to use Mozilla's asm.js technology, a strict subset of JavaScript that engines can compile ahead of time and that toolchains such as Emscripten target when compiling C and C++ game engines for the browser. This offers developers the ability to bring physics, 3D graphics, multiplayer networking, advanced animation and other beefier game elements into their browser-based projects without the use of a proprietary plugin.

Trendy Entertainment Co-Founder and CTO Jeremy Stieglitz explained the developer's use of asm.js in a separate trailer, found after the break. The game is expected to fully launch in May 2014 for PC, Mac, Linux, Android, iOS and any web browser of choice. An online, pre-alpha PvP version of Monster Madness Online is available to try out now on the game's website.
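Both this item and the Dungeon Defenders one above lean on asm.js without showing what it is. The following is an added example, not code from Trendy Entertainment, Nom Nom Games or Mozilla: a minimal hand-written asm.js module. It is ordinary JavaScript restricted to a statically typed subset (the `"use asm"` directive, `| 0` and `+x` coercions, and memory accessed only through typed-array views of a heap), which is what lets an engine compile it ahead of time and what compilers such as Emscripten emit. The module computes 32-bit FNV-1a over bytes in the heap; a plain-JavaScript version beside it gives the same answer.

```javascript
// Added example: a hand-written asm.js module (not code from the games or Mozilla).
// Everything in AsmHashModule follows the asm.js typing rules; outside it is normal JS.

function AsmHashModule(stdlib, foreign, heap) {
  "use asm";
  var u8 = new stdlib.Uint8Array(heap);   // the module sees memory only through typed views
  var imul = stdlib.Math.imul;
  // offset, len: byte range within the heap. Parameters get their type from the
  // coercion on their first line (`| 0` = int); every result is coerced back to int.
  function fnv1a(offset, len) {
    offset = offset | 0;
    len = len | 0;
    var h = 0;
    var i = 0;
    h = -2128831035;                                   // 0x811c9dc5 as a signed 32-bit literal
    for (i = 0; (i | 0) < (len | 0); i = (i + 1) | 0) {
      h = (h ^ (u8[(offset + i) | 0] | 0)) | 0;
      h = imul(h, 16777619) | 0;                       // FNV prime; imul keeps it in 32 bits
    }
    return h | 0;
  }
  return { fnv1a: fnv1a };
}

// Host side: the heap is an ArrayBuffer (asm.js validation wants a power-of-two size
// of at least 4 KiB); strings are copied into it before the call.
const HEAP = new ArrayBuffer(65536);
const HEAP_BYTES = new Uint8Array(HEAP);
const asm = AsmHashModule(globalThis, {}, HEAP);

function hashStringAsm(str) {
  const bytes = new TextEncoder().encode(str);
  if (bytes.length > HEAP_BYTES.length) throw new Error("string larger than heap");
  HEAP_BYTES.set(bytes, 0);
  return asm.fnv1a(0, bytes.length) >>> 0;   // back to unsigned for display
}

// Reference implementation in ordinary JavaScript, for comparison.
function hashStringPlain(str) {
  let h = 0x811c9dc5;
  for (const b of new TextEncoder().encode(str)) {
    h ^= b;
    h = Math.imul(h, 16777619);
  }
  return h >>> 0;
}
```

Two things to notice from a security angle: the module can only touch memory inside `HEAP`, which is the sandbox property that WebAssembly later formalised, and an engine that fails to validate the module silently runs it as plain JavaScript, so a game that depends on asm.js for speed still has to work (and be safe) as ordinary code.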
Tags: action, android, announcement, asm-js, browser, browser-based, dungeon-defenders, free-to-play, ios, ipad, iphone, javascript, linux, mac, mobile, monster-madness-online, mozilla, nom-nom-games, pc, release-date, rpg, screenshots, shooter, trailer, trendy-entertainment. Fri, 13 Dec 2013 01:00:00 -0500